Summary
PlayerUnknown's Battlegrounds (PUBG) has been identified by Wapack Labs as a large-scale proxy participant in major fraud. It is unclear whether PUBG is a witting or unwitting participant, but it is clear that the PUBG network has been abused for fraudulent purposes.
Wapack Labs has yet to identify the specific malware component responsible for recruiting PUBG gamers into various botnets. However, the seemingly endless volume of "PUBG bots" indicates a possible backdoor in the PUBG mobile application itself or in the bundled GVoice program.
Details
Beginning in mid-2018, Wapack Labs began tracking botnet activity targeting numerous organizations. A variety of botnet traffic has been observed; however, the overall trend fell into two categories:
- The first consisting of botnet attacks using compromised servers and home routers,
- The second by way of compromised mobile devices.
In both cases, the compromised device is used as a proxy to connect with endpoints for the purposes of industrial fraud, including mass registration, credential stuffing attacks, and other fraudulent transactions. This report focuses on the category of botnet activity associated with mobile devices and/or computers running Android emulators.
PlayerUnknown's Battlegrounds (PUBG)
PUBG is a massively popular online shooter game and was the biggest game release of 2017. The success of PUBG's battle royale style of gameplay led to the creation of similar games such as Fortnite, and to the adoption of battle royale gameplay in the competitive esports arena. PUBG's success is in part due to the popularity of the mobile version sold by Tencent. Of the 400 million PUBG players, 350 million use the mobile Tencent version.[1]
In October 2017 the China Audio-Video and Digital Publishing Association released a statement discouraging battle royale style games, saying they are too violent and deviate from Chinese socialist values.[2] This led to a formal agreement between PUBG and the Chinese government allowing the game to be sold in the country with minor changes through Tencent, the largest publisher of games in China. As of June 2018, the mobile version of the game accounted for 88 percent of the 87 million daily players.[3]
The mobile PUBG application can be downloaded from the Tencent domain filecdn.igamecj.com [4]. A sibling of this domain, lobby.igamecj.com (49.51.42.110), was also observed in communication with many of the bot IPs on port 17500. This endpoint is used for PUBG chat communications as part of Tencent Cloud's GVoice chat, which is bundled with the game. Also observed were numerous connections to several hundred Tencent IP addresses over ports 20000-20002. These are likewise associated with GVoice chat and are used for hosting player chat rooms during gameplay. Both kinds of PUBG chat traffic are observable in netflow and in open source from log files uploaded to VirusTotal by PUBG gamers:
Example of PUBG/GVoice chat traffic (lobby.igamecj.com, TCP port 17500) observed in log files:
[5916][1364][20:19:41.034]: GCloud: [GCloud] [2018-11-08 01:20:38 397] | Info | [GCloud] |0x10483390| Connector+Update.cpp:858|handleRecvData| [Connector:0x11568600]: Recv data len:2251, tcp://lobby.igamecj.com:17500
Example of PUBG/GVoice room traffic on port 20001 observed in log files:
[/Users/rdm/ieg_ci/slave/workspace/iGame20/build/Android/jni/../../..//cdnvister/build/Android/jni/../../../src/small_room_agent.cpp(997) JoinRoom()]:[SmallRoomAgent::JoinRoom]:Arg openid 15105966916109608 and url is udp://162.62.16.149:20001,roomID is 12727450649442576151, memberID is 498, roomKey is 4522542966281398, timeout:10000
Sample netflow records showing bot connections to lobby.igamecj.com (49.51.42.110):
start_time,src_ip_addr,src_cc,dst_ip_addr,dst_cc,proto,src_port,dst_port,tcp_flags,num_pkts,num_octets
"2018-11-13 01:00:32",172.58.19.36,US,49.51.42.110,CN,6,62946,17500,16,9000,360000,,
"2018-11-13 03:34:27",73.93.141.164,US,49.51.42.110,CN,6,31850,17500,16,3000,120000,,
"2018-11-13 06:45:44",49.180.70.172,AU,49.51.42.110,CN,6,58777,17500,16,3000,120000,,
"2018-11-13 08:39:27",49.51.42.110,CN,172.58.11.112,US,6,17500,39229,24,3000,1587000,,
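A small detection routine over netflow records in the layout shown above, added here as an example and not part of the Wapack Labs report. It tags flows to the PUBG lobby endpoint (49.51.42.110, TCP/17500) or to the GVoice room ports (20000-20002) and reports the non-Tencent side as the bot, handling records logged in either direction; the first four sample rows mirror the records above, the last two are constructed.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in the report's column layout: the first four records
# mirror the report's; the last two are made up (a GVoice room flow and an
# unrelated HTTPS flow). Extra trailing empty fields go to restkey.
SAMPLE_NETFLOW = """\
start_time,src_ip_addr,src_cc,dst_ip_addr,dst_cc,proto,src_port,dst_port,tcp_flags,num_pkts,num_octets
"2018-11-13 01:00:32",172.58.19.36,US,49.51.42.110,CN,6,62946,17500,16,9000,360000,,
"2018-11-13 03:34:27",73.93.141.164,US,49.51.42.110,CN,6,31850,17500,16,3000,120000,,
"2018-11-13 06:45:44",49.180.70.172,AU,49.51.42.110,CN,6,58777,17500,16,3000,120000,,
"2018-11-13 08:39:27",49.51.42.110,CN,172.58.11.112,US,6,17500,39229,24,3000,1587000,,
"2018-11-13 10:02:11",172.58.19.36,US,162.62.16.149,CN,17,40211,20001,0,200,16000,,
"2018-11-13 10:30:00",203.0.113.7,AU,198.51.100.9,US,6,51000,443,24,10,4000,,
"""

PUBG_LOBBY_IP = "49.51.42.110"           # lobby.igamecj.com (report)
PUBG_LOBBY_PORT = 17500                  # TCP chat lobby (report)
GVOICE_ROOM_PORTS = range(20000, 20003)  # UDP chat rooms 20000-20002 (report)


def classify_flow(row):
    """Return ('lobby'|'gvoice', peer_ip) for a PUBG-related record, else None.
    Flows are logged in either direction, so the non-Tencent address is the peer."""
    src, dst = row["src_ip_addr"], row["dst_ip_addr"]
    sport, dport = int(row["src_port"]), int(row["dst_port"])
    if row["proto"] == "6":
        if dst == PUBG_LOBBY_IP and dport == PUBG_LOBBY_PORT:
            return ("lobby", src)
        if src == PUBG_LOBBY_IP and sport == PUBG_LOBBY_PORT:
            return ("lobby", dst)
    # Port-only match; the report ties these rooms to Tencent IPs (not checked here).
    if dport in GVOICE_ROOM_PORTS:
        return ("gvoice", src)
    if sport in GVOICE_ROOM_PORTS:
        return ("gvoice", dst)
    return None


def summarize(netflow_text):
    """Map each peer IP to counts of lobby/gvoice flows and total octets."""
    reader = csv.DictReader(io.StringIO(netflow_text), restkey="_extra")
    peers = defaultdict(Counter)
    for row in reader:
        hit = classify_flow(row)
        if hit:
            kind, peer = hit
            peers[peer].update({kind: 1, "octets": int(row["num_octets"])})
    return {ip: dict(stats) for ip, stats in peers.items()}
```

Run against a daily netflow export, the returned map is the per-bot roll-up behind a table like the one in Appendix A.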
Wapack Labs has yet to identify the specific malware component responsible for recruiting PUBG gamers into the botnet. The seemingly endless volume of "PUBG bots" indicates a possible backdoor in the PUBG mobile application itself or in the bundled GVoice program. Other possibilities are trojanized mods or cheats, or an infected third-party build of the PUBG Mobile application itself. While there are a few of these in the wild, the legitimate version of PUBG Mobile can easily be downloaded from Tencent or loaded through the emulator.
There are many anecdotal reports from PUBG mobile players of surreptitious malware installations by Tencent, specifically from users of the Tencent Gaming Buddy emulator, which is used to run PUBG mobile on PCs. Several users have also reported that Tencent has bundled cryptocurrency mining software with Tencent Gaming Buddy. If the latter is true, this would be a lucrative operation considering there are currently 80 million daily PUBG mobile players.
Conclusion
Analysis is ongoing. However, one thing can be concluded: PUBG gamers are feeding several botnet supply chains. Gamers in general are frequently targeted, whether for their processing power as part of cryptocurrency mining operations or for theft of the virtual currency used in games. PUBG mobile players represent the ideal botnet candidate for several reasons. First, there is no shortage of them, with over 80 million daily players; this ensures a global supply of IP addresses for botnet operators. Second, the mobile version of PUBG is popular among PC players and is enabled through Tencent's Gaming Buddy emulator, which widens the pool of devices from phones to PCs.
The glaring intelligence gap at this point is whether Tencent is knowingly facilitating this activity. While there are anecdotal reports of Tencent downloading malware and cryptocurrency miners to gamers' systems, a smoking gun has yet to be identified. Wapack Labs will continue analysis of Tencent's emulator and PUBG as well as third-party software.
Appendix A
This section provides technical details on 142K bot IPs observed from 23 October, when daily tracking began.
Top autonomous systems:
Bot ASN | Count
AS7922 Comcast Cable Communications, LLC | 12768
AS4134 No.31,Jin-rong Street | 5770
AS7018 AT&T Services, Inc. | 4987
AS701 MCI Communications Services, Inc. d/b/a Verizon Business | 3181
AS4837 CHINA UNICOM China169 Backbone | 2935
AS20115 Charter Communications | 2686
AS22773 Cox Communications Inc. | 2496
AS36903 MT-MPLS | 2493
AS3320 Deutsche Telekom AG | 2486
AS3352 Telefonica De Espana | 2389
AS3269 Telecom Italia | 2235
AS5089 Virgin Media Limited | 2226
AS2856 British Telecommunications PLC | 2139
AS209 Qwest Communications Company, LLC | 2086
AS5607 Sky UK Limited | 2045
AS20001 Time Warner Cable Internet LLC | 2006
AS3215 Orange | 1851
AS22394 Cellco Partnership DBA Verizon Wireless | 1812
AS21928 T-Mobile USA, Inc. | 1668
The following map illustrates geolocations for observed bots. The United States and China were consistently the top two.
Top protocol rankings fluctuated daily; however, frequently observed ones included the following:
- HTTP: ports 80, 8080, 443
- BitTorrent: ports 6881-6889, 8999, 49152-65534
- PUBG: ports 17500, 20000-20002
- VPN: ports 8888, 9339
- Jabber: port 5222
- Mail protocols: ports 23, 993
The following table ranks the most commonly observed hosts seen in communication with the botnet IPs. This data was derived through daily netflow analysis over the course of a month.
ip_addr | cc | ASN | Observed bots | Analyst comment
35.211.30.253 | US | AS19527 Google LLC | 10264 | Mobile ad related: ev.adserve.video
103.235.47.74 | HK | AS55967 Beijing Baidu Netcom Science and Technology Co., Ltd. | 9827 | Duapps.com - multiple apps
209.58.147.67 | US | AS394380 Leaseweb USA, Inc. | 7863 | Mobile ad related
209.197.3.84 | US | AS20446 Highwinds Network Group, Inc. | 7789 | Porn - Xvideo content delivery
35.211.120.82 | US | AS19527 Google LLC | 7343 | Mobile ad related: ev.adserve.video
205.185.216.10 | US | AS20446 Highwinds Network Group, Inc. | 7067 | Content delivery - NFI
205.185.216.42 | US | AS20446 Highwinds Network Group, Inc. | 6967 | Content delivery - NFI
198.11.132.83 | US | AS45102 Alibaba (China) Technology Co., Ltd. | 6544 | Alibaba DNS
69.16.175.10 | US | AS20446 Highwinds Network Group, Inc. | 6267 | Mobile ad related; vd.predictionai.com
69.16.175.42 | US | AS20446 Highwinds Network Group, Inc. | 6039 | Mobile ad related; vd.predictionai.com
205.147.93.131 | US | AS393676 Zenedge Inc | 6015 | Adware related - possible browser hijacker/redirect malware
205.185.208.142 | US | AS20446 Highwinds Network Group, Inc. | 5697 | Content delivery - NFI
205.185.208.78 | US | AS20446 Highwinds Network Group, Inc. | 5358 | Content delivery - NFI
104.193.88.125 | US | AS55967 Beijing Baidu Netcom Science and Technology Co., Ltd. | 5219 | Duapps.com - multiple apps
35.227.210.77 | US | AS15169 Google LLC | 5149 | Snapchat content delivery
198.11.132.178 | US | AS45102 Alibaba (China) Technology Co., Ltd. | 5146 | Alibaba DNS
49.51.42.110 | CN | AS132203 Tencent Building, Kejizhongyi Avenue | 4932 | PUBG: lobby.igamecj.com
205.147.93.132 | US | AS393676 Zenedge Inc | 4572 | Adware related - possible browser hijacker/redirect malware
205.204.101.196 | US | AS45102 Alibaba (China) Technology Co., Ltd. | 4203 | taobao.com - Chinese e-commerce
[1] https://www.polygon.com/2018/6/19/17478476/playerunknowns-battlegrounds-sales-pubg-number-of-players
[2] https://www.bloomberg.com/news/articles/2017-10-30/world-s-hottest-pc-game-could-be-banned-in-china-due-to-violence
[3] https://en.wikipedia.org/wiki/PlayerUnknown%27s_Battlegrounds